MongoDB Create Database Username Password to Secure Data
Introduction
As long as the MongoDB port is reachable from the network and authentication is disabled, any computer that can reach it can connect to your database and read, modify or delete your data. This article shows how to create a MongoDB database username and password, and how to turn on authentication, so that you can secure your data.
Mongodb Enable Authentication
By default MongoDB accepts connections without any authentication. If the host is reachable from the public network and the MongoDB port (27017 by default) is left open, the database is exposed: anyone who finds the port can connect and take over the data.
Read Also: Learn How to secure MongoDB Community Version Using Authentication (https://kb.objectrocket.com/mongo-db/learn-how-to-secure-mongodb-community-version-using-authentication-part-3-489)
To require authentication, start mongod with the --auth option (or set security.authorization: enabled in the config file). This turns on access control, which is not the same thing as auditing: once it is on, only authenticated users can read or write, and each user can do only what the roles granted to it allow.
How to Create Database in MongoDB?
The MongoDB syntax for creating a database is as follows:
    use DATABASE_NAME
use switches the shell to the named database. If the database does not exist yet, MongoDB creates it when the first document is stored in it.
Example: in the following session we switch to (and thereby create) the database objectrocket:
    > use objectrocket
    switched to db objectrocket
    > db
    objectrocket
    >
If you want to see all the databases, you can use the show dbs command:
    > show dbs
    admin   0.000GB
    config  0.000GB
    local   0.000GB
    >
As you can see, the newly created objectrocket database is not listed yet: MongoDB only materialises a database once it holds data. To make it appear, insert a document into a collection in the objectrocket database:
    > db.objectrocket.insert({"name": "objectrocket Tutorial"})
    WriteResult({ "nInserted" : 1 })
    > show dbs
    admin         0.000GB
    config        0.000GB
    local         0.000GB
    objectrocket  0.000GB
The default database in MongoDB is test. If you do not switch to another database, your collections are stored in the test database.
Note: in MongoDB a collection (the equivalent of a table) is created implicitly when the first document (record) is inserted into it, and the same lazy creation applies to the database that holds it.
MongoDB Create Database Username Password
In this section I will guide you through creating a database username and password so that you can protect your data. First the situation we are protecting against, then the steps to take.
Vulnerable Environment
- mongod started with its default options, that is without --auth
- The host is reachable from the public network
- The MongoDB port (27017) is open to the public network
Security Risk
- Disclosure of the data in the database
- Data modified or deleted by an attacker
- Degraded performance, because anyone can run queries and writes against the server
Solutions
- Block public-network access to the MongoDB port, and bind mongod only to the interfaces that need it (--bind_ip on the command line or net.bindIp in the config file) rather than to every address
- Network configuration varies from one environment to the next, so adapt the following to yours; the goal is simply that port 27017 is not reachable from the internet:
- Disable any port forwarding for 27017 on the router
- Block inbound access to 27017 with an iptables firewall rule, allowing only trusted source addresses
- Enable access control (--auth) so that even a reachable port requires valid credentials; this is covered in the following sections
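The two settings from the list above, as an added example in mongod's YAML configuration format (this fragment is not from the article): the first document is the exposed shape of the vulnerable environment, the second the hardened one. 10.0.0.5 stands for whatever private address your application servers reach the database on and is only a placeholder; a real mongod.conf contains one such document, not both.

```yaml
# Exposed: listens on every interface and accepts unauthenticated clients.
net:
  port: 27017
  bindIp: 0.0.0.0
---
# Hardened: reachable only on loopback and one private interface
# (10.0.0.5 is a placeholder), and every client must authenticate.
# security.authorization: enabled is the config-file form of --auth.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
```

Restart mongod after changing the file (mongod --config /etc/mongod.conf, with the path being whatever your installation uses) and re-run the reachability check below from outside your network.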
Verify whether the port can be reached
From a machine outside your network, run on the command line:
    telnet your.machine.open.ip 27017
If the connection is refused or times out, the port is not reachable from that network; if it connects, the database is still exposed.
Enable Authentication
Create the user administrator account first. The database version used here is MongoDB 3.4. Start the database without access control, in a new terminal:
    mongod --port 27017 --dbpath /data/db1
Add any other options your deployment normally uses (a config file, a different dbpath and so on); the defaults are fine for this walkthrough.
In another terminal, run the following command.
    mongo --port 27017
    use admin
    db.createUser(
      {
        user: "admin",
        pwd: "password",
        roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
      }
    )
The user administrator now exists. Username: admin, password: password (a placeholder; use a long, random password in practice). The userAdminAnyDatabase role lets this account create and manage users in every database but does not by itself grant read or write access to application data. Now disconnect the shell and stop mongod by pressing Ctrl-C in its terminal.
MongoDB user login with authentication
Start MongoDB with access control enabled. In a new terminal run:
    mongod --auth --port 27017 --dbpath /data/db1
Now there are two ways to authenticate. The first, similar to the MySQL client, is to pass the username, password and authentication database on the command line when the client connects:
    mongo --port 27017 -u "admin" -p "password" --authenticationDatabase "admin"
Giving -p without a value makes the shell prompt for the password instead of leaving it in your shell history and the process list. The second way is to connect first and authenticate from inside the shell:
    mongo --port 27017
    use admin
    db.auth("admin", "password")
    // Output 1 means successful verification
In the legacy mongo shell db.auth returns 1 on success and 0 on failure; in mongosh it returns { ok: 1 } and throws on failure.
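The bootstrap and verification steps above, as an added mongo shell script that is not part of the original article or of MongoDB itself. It creates the user administrator, reports whether the session is authenticated and with which roles (db.runCommand({ connectionStatus: 1 })), and audits the running server's options (db.adminCommand({ getCmdLineOpts: 1 })) for the two problems this article is about: access control off and the listener bound to every interface. The file name bootstrap_admin.js, the placeholder password and the 12-character minimum are this example's own assumptions.

```javascript
// Added example for this article (not code from the original page or from
// MongoDB): a mongo shell script that bootstraps the user administrator and
// then checks the server state described above. Load it into the shell
// (the file name is an assumption):
//   mongo --port 27017 bootstrap_admin.js
// The `db` global exists only inside the mongo shell; under Node.js it is
// undefined, so the live section at the bottom is skipped and only the
// pure helpers run.

// Build the createUser document for the first administrator.
// userAdminAnyDatabase can create and modify users in every database but
// grants no read or write access to application data, which keeps the
// bootstrap account narrow. The length check is this example's own policy.
function adminUserSpec(user, pwd) {
  if (typeof pwd !== "string" || pwd.length < 12) {
    throw new Error("administrator password must be at least 12 characters");
  }
  return {
    user: user,
    pwd: pwd,
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }]
  };
}

// Create the administrator in the admin database (step 1 of the article,
// run while mongod is still started without --auth). Returns the spec sent.
function bootstrapAdmin(dbHandle, user, pwd) {
  var spec = adminUserSpec(user, pwd);
  dbHandle.getSiblingDB("admin").createUser(spec);
  return spec;
}

// Inspect the result of db.adminCommand({ getCmdLineOpts: 1 }) and report
// the misconfigurations this article is about. Reading the options needs
// the clusterMonitor role once access control is on, so a refusal is
// reported as a finding rather than thrown.
function auditCmdLineOpts(opts) {
  if (!opts || opts.ok === 0) {
    return ["could not read server options (needs clusterMonitor): " + (opts && opts.errmsg)];
  }
  var parsed = opts.parsed || {};
  var security = parsed.security || {};
  var net = parsed.net || {};
  var argv = opts.argv || [];
  var findings = [];

  var authEnabled =
    security.authorization === "enabled" || argv.indexOf("--auth") !== -1;
  if (!authEnabled) {
    findings.push("access control disabled: start mongod with --auth or set security.authorization: enabled");
  }

  var bindAllFlag = net.bindIpAll === true || argv.indexOf("--bind_ip_all") !== -1;
  var bindsAnyAddress = String(net.bindIp || "").split(",").some(function (ip) {
    var a = ip.trim();
    return a === "0.0.0.0" || a === "::";
  });
  if (bindAllFlag || bindsAnyAddress) {
    findings.push("mongod listens on all interfaces: restrict net.bindIp");
  } else if (net.bindIp === undefined) {
    findings.push("net.bindIp not set: mongod before 3.6 then listens on all interfaces; set it explicitly");
  }
  return findings;
}

// Summarise db.runCommand({ connectionStatus: 1 }) so the caller can see
// which principal the session holds and with which roles.
function whoAmI(status) {
  var info = (status && status.authInfo) || {};
  return {
    users: (info.authenticatedUsers || []).map(function (u) { return u.db + "." + u.user; }),
    roles: (info.authenticatedUserRoles || []).map(function (r) { return r.db + ":" + r.role; })
  };
}

// Run both checks against a live handle. The legacy shell returns
// { ok: 0 } for an unauthorised command while mongosh throws, so catch both.
function verify(dbHandle) {
  var admin = dbHandle.getSiblingDB("admin");
  var opts;
  try {
    opts = admin.adminCommand({ getCmdLineOpts: 1 });
  } catch (e) {
    opts = { ok: 0, errmsg: String(e) };
  }
  return {
    identity: whoAmI(admin.runCommand({ connectionStatus: 1 })),
    findings: auditCmdLineOpts(opts)
  };
}

if (typeof db !== "undefined") {
  // Live section, mongo shell only. Uncomment the next line for the very
  // first run; "change-me-before-use" is a placeholder password.
  // bootstrapAdmin(db, "admin", "change-me-before-use");
  print(JSON.stringify(verify(db), null, 2));
}
```

Before the restart with --auth every command is permitted, so the findings list tells you what still needs fixing. After the restart, userAdminAnyDatabase alone is refused the option audit; run the script as an account that also holds clusterMonitor (or root) if you want that part, and the identity part works for any authenticated session.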
How to create a simple user?
Continuing with creating database usernames and passwords, the next step is an ordinary application user. The process is the same as for the administrator account; only the roles differ.
    use foo
    db.createUser(
      {
        user: "simpleUser",
        pwd: "simplePass",
        roles: [ { role: "readWrite", db: "foo" },
                 { role: "read", db: "bar" } ]
      }
    )
Now we have a simple user. Username: simpleUser, password: simplePass. Permissions: read and write on database foo, read-only on database bar. This is the least-privilege pattern an application account should follow: grant roles only on the databases it actually needs.
Please note: running use foo before createUser means the user is created in the foo database, so foo is its authentication database and its credentials live there. Although simpleUser has read permission on bar, it must authenticate against foo; trying to authenticate against bar directly fails with an authentication error, because no such user exists in bar. Once authenticated, the session can switch to bar and use it:
    use foo
    db.auth("simpleUser", "simplePass")
    use bar
    show collections
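The application-user step above, as an added mongo shell helper that is not part of the original article or of MongoDB itself. It builds the createUser document from a database-to-role map and refuses any administrative role, authenticates against the database the user lives in (showing why authenticating via bar fails), and compares the roles the server reports for the session with the ones intended. The APP_ROLES list and the function names are this example's own assumptions.

```javascript
// Added example, not code from the article: a mongo shell helper for the
// least-privilege application user above. Under Node.js the `db` global is
// undefined, so the live section at the end is skipped.

// Roles an application account may hold. Anything administrative (dbOwner,
// userAdmin, root, ...) is refused so the app account cannot escalate.
var APP_ROLES = ["read", "readWrite"];

// Build the createUser document from a map of database -> role, e.g.
// { foo: "readWrite", bar: "read" }. Create the result in the database
// that should hold the credentials (foo in the article) with
// db.getSiblingDB("foo").createUser(spec), as the user administrator.
function appUserSpec(user, pwd, grants) {
  var roles = Object.keys(grants).map(function (dbName) {
    var role = grants[dbName];
    if (APP_ROLES.indexOf(role) === -1) {
      throw new Error("role " + role + " on " + dbName + " is not an application role");
    }
    return { role: role, db: dbName };
  });
  if (roles.length === 0) throw new Error("user needs at least one role");
  return { user: user, pwd: pwd, roles: roles };
}

// db.auth returns 1/0 in the legacy mongo shell and { ok: 1 } in mongosh,
// which throws on failure; normalise both to a boolean.
function authOk(result) {
  if (typeof result === "number") return result === 1;
  return !!(result && result.ok === 1);
}

// Authenticate against the database the user was created in. Trying to
// authenticate simpleUser against bar fails even though the user can read
// bar, because the credentials are stored in foo.
function login(dbHandle, authDb, user, pwd) {
  try {
    return authOk(dbHandle.getSiblingDB(authDb).auth(user, pwd));
  } catch (e) {
    return false;
  }
}

// Compare the roles the server reports for the session
// (db.runCommand({ connectionStatus: 1 })) with what we intended to grant,
// so a typo or an over-broad role is caught right after user creation.
function rolesMatch(status, spec) {
  var granted = ((status.authInfo || {}).authenticatedUserRoles || [])
    .map(function (r) { return r.db + ":" + r.role; }).sort();
  var wanted = spec.roles.map(function (r) { return r.db + ":" + r.role; }).sort();
  return JSON.stringify(granted) === JSON.stringify(wanted);
}

if (typeof db !== "undefined") {
  // Live section, mongo shell only: run it in a fresh, not yet
  // authenticated shell after the administrator has created simpleUser.
  var spec = appUserSpec("simpleUser", "simplePass", { foo: "readWrite", bar: "read" });
  print("login via bar: " + login(db, "bar", "simpleUser", "simplePass"));   // expected false
  print("login via foo: " + login(db, "foo", "simpleUser", "simplePass"));   // expected true
  var status = db.getSiblingDB("foo").runCommand({ connectionStatus: 1 });
  print("roles as intended: " + rolesMatch(status, spec));
}
```

The login helper deliberately reports a plain true/false so the same script behaves the same under the legacy 3.4 shell, which prints "Authentication failed." and returns 0, and under mongosh, which throws.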
Another thing to keep in mind is the localhost exception: when access control is enabled but no user has been created yet, a connection from localhost still has full permissions, so that the first administrator can be created. Create that administrator immediately after turning on --auth, and do not expose the port before you have done so.
MongoDB Database Roles
Built-in roles
Database user roles: read, readWrite
Database administration roles: dbOwner, dbAdmin, userAdmin
Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
Backup and restore roles: backup, restore
All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
Superuser role: root
Internal role: __system
Note that several roles give direct or indirect access to superuser privileges (userAdmin, dbOwner, userAdminAnyDatabase): a user who can manage users can grant themselves any role, so treat these as administrative accounts.
Role descriptions
read: read data in the specified database.
readWrite: read and write data in the specified database.
userAdmin: create, delete and manage users and roles in the specified database (write access to its system.users collection). On the admin database this is effectively a superuser, since such a user can grant themselves root.
clusterAdmin: only available in the admin database; gives the user administration rights over all sharding and replica set related functions.
dbAdmin: run administrative tasks in the specified database, such as creating indexes, viewing statistics, dropping collections and accessing the system.profile collection.
readAnyDatabase: only available in the admin database; read access to all databases.
readWriteAnyDatabase: only available in the admin database; read and write access to all databases.
userAdminAnyDatabase: only available in the admin database; userAdmin rights on all databases.
dbAdminAnyDatabase: only available in the admin database; dbAdmin rights on all databases.
root: only available in the admin database; the superuser account with every privilege.
Conclusion
When using the database we must be aware of the security risks. With its default configuration MongoDB accepts unauthenticated connections and is at risk of intrusion, so create an administrator and application users, enable access control, and keep the port off the public network. If you’re worried that your database security is not configured properly please reach out to us at Object Rocket and your data will be in safe hands.